在動態通行碼(dynamic password)鑑定系統中,使用者每次登入所使用的通行碼是動態改變的。在2006年,Wu等人提出了一個「公平的動態通行碼鑑定系統」(WLC scheme)。Wu等人宣稱他們的方法在使用者登入鑑定失敗時,系統可以偵測與判斷鑑定失敗的原因是因為使用者是非法的,或者是因為系統的驗證表格遭到竄改所引起的。然而,我們發現WLC scheme在安全性上有缺失,它沒辦法達到如作者所宣稱的功能。攻擊者可以竄改系統的驗證表格以偽裝成合法使用者的身分,而系統無法偵測出此狀況。另外,攻擊者可以藉由WLC scheme所提供的線上更新通行碼功能更換使用者的通行碼,進而獲得該使用者帳號往後的使用權限。 在同一年,Liou等人提出了一個「具動態身分(dynamic identity)的鑑定系統」(LLW scheme),具動態身分的鑑定系統是為了防止使用者傳送的鑑定訊息洩露使用者的部分資訊而被提出來,Liou等人並宣稱他們的方法可以達到雙向鑑定(mutual authentication)的功能。然而,我們發現LLW scheme會遭受到偽造身分攻擊(impersonation attack);在系統註冊過的使用者可以偽裝成系統的身分與其他使用者進行通訊。並且,在系統註冊過的使用者也可以對其他使用者的通行碼採取離線猜測攻擊(off-line guessing attack)。 In the dynamic password authentication schemes, user's login password is dynamically changed in each user login. In 2006, Wu et al. proposed a fair and dynamic password authentication scheme (WLC scheme). The authors claimed that the server in their scheme can detect the reason when a user fails to login. We find that WLC scheme fails to preserve the fairness as the authors' claims. Adversaries can modify the verification table without being detected by server. Moreover, the on-line password change process is not secure. Adversaries can change users' passwords to arbitrary ones by exploiting the password change process. In the same year, Liou et al. proposed a new dynamic ID-based authentication scheme using smart cards (LLW scheme). The dynamic ID-based authentication schemes are proposed to prevent partial information leakage from users' authentication messages. Liou et al. claimed their scheme can achieve mutual authentication. However, we find that LLW scheme is vulnerable to impersonation attacks, a malicious user can impersonate server to communication with other users and apply the off-line guessing attack on other users.
